From: Greg Hudson
Date: Fri, 26 Apr 2013 19:51:05 +0000 (-0400)
Subject: Check for keys in encrypted timestamp/challenge
X-Git-Tag: krb5-1.12-alpha1~189
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9593d1311fa5e6e841c429653ad35a63d17c2fdd;p=thirdparty%2Fkrb5.git

Check for keys in encrypted timestamp/challenge

Encrypted timestamp and encrypted challenge cannot succeed if the client has no long-term key matching the request enctypes, so do not offer them in that case.

ticket: 7630
---
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
index 7acd99a242..720fefa43b 100644
--- a/src/kdc/kdc_preauth_ec.c
+++ b/src/kdc/kdc_preauth_ec.c
@@ -40,7 +40,12 @@ ec_edata(krb5_context context, krb5_kdc_req *request,
 krb5_kdcpreauth_edata_respond_fn respond, void *arg)
 {
 krb5_keyblock *armor_key = cb->fast_armor(context, rock);
- (*respond)(arg, (armor_key == NULL) ? ENOENT : 0, NULL);
+
+ /* Encrypted challenge only works with FAST, and requires a client key. */
+ if (armor_key == NULL || !cb->have_client_keys(context, rock))
+ (*respond)(arg, ENOENT, NULL);
+ else
+ (*respond)(arg, 0, NULL);
 }
 
 static void
diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
index 83c6bf1a26..65f7c3629c 100644
--- a/src/kdc/kdc_preauth_encts.c
+++ b/src/kdc/kdc_preauth_encts.c
@@ -36,7 +36,11 @@ enc_ts_get(krb5_context context, krb5_kdc_req *request,
 {
 krb5_keyblock *armor_key = cb->fast_armor(context, rock);
 
- (*respond)(arg, (armor_key != NULL) ? ENOENT : 0, NULL);
+ /* Encrypted timestamp must not be used with FAST, and requires a key. */
+ if (armor_key != NULL || !cb->have_client_keys(context, rock))
+ (*respond)(arg, ENOENT, NULL);
+ else
+ (*respond)(arg, 0, NULL);
 }
 
 static void
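Review bot: The comment added above the `if` in ec_edata says only that a client key is required, but the condition it documents is narrower: per the commit message, `have_client_keys` is about a long-term key matching one of the request's enctypes, and that is what a maintainer reading the ENOENT branch needs to know. Suggest `/* Encrypted challenge only works with FAST, and cannot succeed unless the client has a long-term key for one of the request enctypes. */`, with the same wording in the enc_ts_get hunk of kdc_preauth_encts.c, whose comment is even terser ("requires a key"). `cb->have_client_keys` is not defined anywhere in this diff; if it is a new entry in the kdcpreauth callbacks table, the header change and the table's version bump should land in the same change so modules built against the older table are not handed a different layout — I cannot confirm from the hunk whether that is the case. ec_edata's opening lines are outside the hunk.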
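Review bot: The `if`/`else` added in enc_ts_get duplicates the `(*respond)` call only to vary the error code, which is the one thing the removed line already expressed through its conditional; folding it back into a single call keeps it visibly obvious that respond is invoked exactly once on every path: `(*respond)(arg, (armor_key != NULL || !cb->have_client_keys(context, rock)) ? ENOENT : 0, NULL);`. The same shape appears in the ec_edata hunk of kdc_preauth_ec.c. This is a point of style only; the short-circuit order of the two conditions, and hence when `have_client_keys` is consulted, is unchanged either way. enc_ts_get's signature is outside the hunk.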